1  Introduction

Distributed  systems  are  ubiquitous  in  computing  and  engineering,  yet  they  have  been  somewhat  obscured  in 
the  philosophical  world.  A  distributed  logic  is  a  collection  of  local  modal  logics  linked  together  by  distributed 
modal connectives each of which takes formulas in one logic and returns formulas in a different logic.
Semantically, each local logic is interpreted over a collection of worlds. Let this collection be called the local
collection  for  this  local  logic.  A  local  neighborhood  (nbd)  map  takes  each  world  to  a  set  of  worlds  taken  from 
the  local  collection  and  is  used  to  interpret  the  modal  connectives  of  the  local  logic.  The  distributed  modal 
connectives  are  also  interpreted  using  nbd  maps;  here,  the  nbd  maps  take  worlds  from  a  local  collection  of 
worlds  to  nbds  of  worlds  from  a  different  local  collection. 

Extra  properties,  via  logical  axioms  and  rules,  can  be  imposed  on  the  interpreting  nbd  maps.  This  is 
precisely  analogous  to  traditional  modal  logic  and  imposing  conditions  on  Kripke  relations  or  nbd  maps. 
Many  of  the  usual  conditions  such  as  normality  or  functionality  can  be  generalized  from  their  traditional 
counterparts.  The  selection  of  axioms  reflects  the  model  theory  one  needs  for  an  application.  If  one  adds 
enough  axioms  to  force  the  distributed  modal  connectives  to  be  normal  modal  connectives  (even  though  they 
map  from  one  logic  to  another),  the  interpreting  nbd  maps  can  be  defined  to  be  Kripke  relations  that,  here, 
span  local  collections.  There  are  other  approaches  to  locality  in  logic:  channel  theory  [6,  2],  institutions 
[13], Chu spaces [7], etc. There are also multi-agent logic systems [12]. What distinguishes distributed logics
from these is that the morphisms, i.e., the nbd maps, have been lifted into the logic and hence are given
properties via logical axioms and rules.

The obvious practical question is “What are distributed logics good for?”. Consider Fig. 1. This is
a simplified view of an actual system. The cpu issues a request to the bus master to
read from the bus. The mux either connects line u to the bus or leaves it undefined as
a “tri-state value”, $\bot$, which will be used as a predicate in the security specification
below. The control line tells the mux when to make the connection. The formulas
are distributed logic statements that hold of the bus master:

$$(control = 0) \supset [c](\bot(u)), \qquad (control = 1) \supset [c](bus = u)$$

The bus master does not have access to the line u and, hence, u cannot be part
of the bus master's state. The two statements hold of any state in the bus master
since the control line is either 0 or 1. Every state in the bus master is related to at least one state of the
cpu-mux via the control line; this co-occurrence relation, which will be called $C$, is used in interpreting the
(necessity) distributed modal connective [c].

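Let $a$ be a state in the bus master's worlds where control = 0. The evaluation of the first statement is
then

$$a \models_{\text{bus master}} (control = 0) \supset [c](\bot(u))$$

$$\therefore\ a \models_{\text{bus master}} [c](\bot(u))$$

$$\therefore\ \text{for all } r \in \text{cpu-mux}\ (C\,a\,r \text{ implies } r \models_{\text{cpu-mux}} \bot(u))$$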

Note  how  the  appellation  of  the  semantic  turnstile  changes  from  bus  master  to  cpu-mux  as  the  formula  is 
evaluated. 


[Figure 1: block diagram of the cpu, the bus master and the mux, with the request, control and bus lines.]

More abstractly, some security properties of distributed systems can be expressed using these forms of
logic  statements.  Distribution  prevents  taking  large  cross  products  of  states  which  tend  to  degrade  the 
performance  of  model  checking  algorithms  beyond  reasonable  levels.  Intuitively,  although  space  prevents  us 
from  explicating  it  here,  distributed  logic  statements  can  be  paired  with  a  process  algebra  where  the  terms 
yield  something  like  a  tensor  product  of  states  of  the  components. 

There  is  another  use  for  distributed  logics  in  testing  systems.  The  situation  frequently  arises  where  one 
is  tasked  with  producing  a  distributed  system  for  a  system-on-a-chip  where  what  is  known  as  “foreign  IP 
(intellectual  property)”  must  be  used.  While  in  one  state  of  a  known  component,  tests  are  made  to  a  foreign 
IP  component.  The  tests  generate  neighborhoods  about  a  state  in  which  the  test  was  made.  The  situation 
is similar to the non-normal diagram in the next section. The worlds are the states and the $\mathcal{R}$ neighborhood
map  indicates  tests  for  each  state  (world). 

2  The  Logic 

Distributed  logics  refer  to  all  the  logics  with  a  distribution  structure  as  we  will  specify  it  for  non-normal  and 
normal  modal  logics.  A  distributed  logic  starts  with  a  directed  graph  where  every  node  constitutes  a  local 
logic.  Each  node  is  a  classical  propositional  logic  with  a  set  of  modal  connectives,  and  any  axioms  and  rules 
to  govern  behavior.  The  graph  makes  apparent  the  structure  of  the  collection  of  the  local  logics.  Using  an 
arc  for  every  modal  connective  can  get  a  bit  “noisy”  due  to  classical  negation  and  defining  possibility  from 
necessity  or  vice  versa.  Instead,  arcs  specify  semantic  maps  that  must  exist  in  any  interpretation.  Each  arc 
is  then  a  bit  of  abstract  syntax  which,  in  an  interpretation,  will  be  turned  in  for  a  nbd  map. 

2.1  Conventions 

The semantic picture for models of two local logics h and k semantically connected by either a nbd map $\mathcal{R}$
or a relation $\mathcal{R}$ is the following diagram:

[Diagram, two panels labelled Non-Normal and Normal: in each, the worlds for the local logic at h are connected by $\mathcal{R}$ to the worlds for the local logic at k.]

The (r) and [r] are forward looking modal connectives in that their interpretation by the neighborhood map
$\mathcal{R}$ looks forward along $\mathcal{R}$ from head to tail. The (•»■•) and [-r-] are backwards looking modal connectives. Let
x be a world for h and y be a world for k, then in the first diagram, $\mathcal{H}x$, $\mathcal{R}x$, and $\mathcal{K}y$ are each a collection
of  neighborhoods.  One  can  add  axioms  for  the  distributed  modal  connectives  to  force  the  nbd  maps  to 
be  simulation  relations  in  the  normal  case  and  to  respect  a  simulation  condition  for  neighborhoods  in  the 
non-normal  case. 

Other  axioms  can  require  that  the  relations  be  functions.  Using  both  simulation  and  function  axioms 
requires that the relations be p-morphisms, and the resulting logic is simulation logic [4]. We simplify a bit
and allow the indices h and k to refer to a local logic as well as indexing the local logic’s modal connectives,
and we also assume there are only the modal connectives [k], (k) in the logic for k and similarly for h. There
are  no  problems  adding  more  modal  connectives  and  axioms  and  rules  to  govern  their  behavior.  In  particular, 
one  can  add  conditions  expressing  the  interaction  between  local  modal  connectives  and  distributed  modal 
connectives. We use the simulation axiom (see Axiom F1 below) to illustrate this. There are a wealth of
choices  that  are  driven  by  the  particular  distributed  system  under  consideration. 

In  sufficiently  weak  modal  systems,  it  is  not  necessary  that  a  point  be  a  member  of  its  neighborhoods. 
Here, it is almost a requirement or the notion of distribution is not present. Model theoretically, $\mathcal{R}$ relates
two  different  neighborhood  systems.  These  neighborhood  maps,  as  morphisms,  compose  and  there  is  an 
identity  for  each  domain  of  worlds.  In  the  normal  case,  the  morphisms  can  be  represented  as  relations  with 
suitable  modifications  of  the  definitions. 

The notation dom(r) refers to the domain or source of the arc r in a graph and cod(r) refers to the
codomain or target of the arc, $r : dom(r) \to cod(r)$. We use the locution $(h) \in dom(r)$ to refer to a modal
connective in the logic associated with the node which is the source for the arc $r : h \to k$. The symbol $\equiv$ is
used for bi-implication, i.e., $P \equiv Q$ stands for $(P \supset Q) \wedge (Q \supset P)$. We use the following letter conventions:


entity                                                                      description
h, k, l                                                                     nodes and endo-arcs in a graph $\mathfrak{G}$
[h], (h), [k], (k)                                                          local modal connectives at nodes h and k
r, s                                                                        arcs in a graph $\mathfrak{G}$
(r), [r], (s), [s]                                                          forward-looking modal connectives for arcs r and s
HH                                                                          backward-looking modal connectives for arc r
$H$, $K$                                                                    sets of worlds in interpretations for logics at h, k
$\mathcal{H}$, $\mathcal{K}$                                                interpret modal connectives for endo-arcs at h, k
$(H, \mathcal{H}, \mathbb{H})$, $(K, \mathcal{K}, \mathbb{K})$              neighborhood frames for the logics at h and k
$\mathcal{R}$, $\mathcal{S}$                                                interpret modal connectives for arcs r and s


We will assume, without loss of generality, that each local logic can be interpreted with a single
neighborhood map. Hence, the node and its endo-arc can share the same label with use disambiguating meaning.
This  allows  us  to  equate  a  node  usually  labeled  h  or  k  with  the  modal  logic  at  that  node. 


2.2  Axioms  and  Rules 

A  local  logic  is  “local”  in  that  it  is  associated  with  one  node  in  the  graph.  In  this  paper,  the  accompanying 
notion  of  a  global  logic  does  not  entail  formulas  “spanning”  two  local  logics  in  the  sense  of  P  in  one  logic 
implying  Q  in  another  where  implying  is  reified  as  an  implication  connective  (and  similarly  with  other  two 
place  connectives) .  Each  formula  lives  entirely  within  a  single  local  logic  although  it  may  contain  subformulas 
from  others. 

The distributed logic graphs we use have endo-diagrams, each of which is a labeled node and a single
endo-arc (self-arc). Each endo-arc will be translated into an endo-morphism. Each node is required to have
at  least  one  endo-diagram  whose  arc  will  be  translated  into  an  identity  morphism.  This  is  necessary  since 
the  models  for  the  logic  will  be  a  category.  The  graph  axioms  specify  which  local  logics  there  are  to  be, 
which  morphisms  are  to  appear  in  any  model,  and  force  identity  morphisms  to  exist.  Each  local  logic  may 
have  its  own  propositional  atoms  and  local  modal  connectives.  The  S  specification  and  A  and  B  axioms  are 
not  optional. 

Graph Specification S:

S1. A graph $\mathfrak{G}$ of nodes and arcs
S2. A set $\mathfrak{D}$ of endo-diagrams

Axiom Schemes A: For each node in $\mathfrak{G}$,

A1. all truth functional theorems of a propositional logic
A2. Modal axioms for a logic at this node

Each node h must contain an endo-diagram for each class of modal operators in its local logic. A class
is the collection {[h], (h)} if the local logic is non-normal and {[h], (h), [ft-], (ft)} if the local logic is normal.

Axiom Schemes B: These axioms force arcs to be interpreted as morphisms in a category. For arcs
$r : h \to k$ and $s : k \to l$,

An endo-diagram with an
arc i for each node in $\mathfrak{G}$

B1. $P \equiv [i]P$
B2. $[r][s]P \equiv [s \circ r]P$

Axiom Schemes C: Taken all together these axioms would force the distributed modal connectives to
be normal. Each may be optionally added.

C1. $[r]P \wedge [r]Q \supset [r](P \wedge Q)$
C2. $[r](P \wedge Q) \supset [r]P \wedge [r]Q$
C3. $\top \supset [r]\top$

The  Axiom  Schemes  C  should  be  present  to  specify  simulation  logic  [4];  they  also  allow  the  specification 
of  backward  looking  connectives  residuated  (see  [11])  with  their  forward  looking  counterparts.  Simulation 
logic  could  also  be  built  on  a  non-normal  basis  using  the  same  main  simulation  axiom.  However,  the  semantic 
conditions  then  involve  neighborhoods,  not  relations. 

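Definition of Possibility: $(m)\,P = \neg [m] \neg P$, $m \in \{k, r\}$

Rules A: For each local logic k,

$$\frac{\vdash_k P \qquad \vdash_k P \supset Q}{\vdash_k Q} \qquad\qquad \frac{\vdash_k (P_1 \wedge \cdots \wedge P_n) \equiv P}{\vdash_k ([k] P_1 \wedge \cdots \wedge [k] P_n) \equiv [k] P}$$

Rule B: For each $r : h \to k$ arc in $\mathfrak{G}$,

$$\frac{\vdash_k (P_1 \wedge \cdots \wedge P_n) \equiv P}{\vdash_h ([r] P_1 \wedge \cdots \wedge [r] P_n) \equiv [r] P}$$

where the subscripted $\vdash$ indicates the local logic to which the proof sign attaches.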

We  will  only  be  concerned  with  the  forward  versions  of  necessity  and  possibility  connectives  since  the 
backwards  versions  are  so  similar.  The  backward  versions  are  only  present  for  normal  systems. 

2.3  Options 

Axiom Schemes D: The D axioms are examples of extra properties to be enforced on the interpreting
morphisms. Other axioms can be added as well; we use these as paradigm examples:

D1. $[r]P \supset (r)P$
D2. $(r)P \supset [r]P$

In non-normal systems, the axiom D1 specifies consistency and the axiom D2 specifies completeness, both
with respect to the collection of neighborhoods about any world when the world is in the source of the nbd
map used in interpreting [r] and (r). In normal systems, the first specifies the interpreting relation be total
on its domain and the second that it act functionally (see Section 3.1).

Axiom Schemes E: The axiom E1 is only necessary if you wish the classical propositional logic at dom(r)
to be included in the logic at cod(r). This condition is part of the definition of simulation [9] although it is
not strictly necessary in that it can be removed without damaging the logic.

For all propositional letters p,

E1. $p \supset [r]p$

From now on, a distributed logic contains at least the specification S and axiom schemes A and B,
and the Definition of Possibility, and the rules A and B. Normal distributed logics include the non-normal
axioms and rules and the Axiom Schemes C. Axiom Schemes C can also be added individually rather than
en masse if only a subset of the properties of normality are desired. The Axiom Schemes D are of interest
and we have modeling conditions for them. The Axiom Scheme E must be handled quite separately in the
semantics. Other axioms can be added; we stop with the list chosen for the purposes of this presentation.

Axiom Scheme F: Simulation logic [4] requires for an arc $r : h \to k$ in $\mathfrak{G}$, and modal connectives
$[h] \in dom(r)$, $[k] \in cod(r)$,

F1. $(r)[k]P \supset [h](r)P$

In normal distributed logics, the axiom F1 forces the arcs in the graph to be interpreted as simulation
relations and B2 forces composition of relations to hold, where a simulation relation is one “half” of a
bisimulation [16]. One common use of the simulation relation is when the interpretation of (r) via a relation
$\mathcal{R}$ is a p-morphism. To force this, add the Axiom Schemes C and D to the simulation axiom.


3  Frames  and  Algebras 

In keeping with our simplifications, assume there is only one local modality per frame, including both a
$\Box$ and $\Diamond$ since they are inter-definable. More modal connectives can be added if needed by the
particular distributed system under consideration.

3.1  Frames 

Definition 3.1.1 A neighborhood frame is a structure $\mathcal{H} = (H, \mathcal{H}, \mathbb{H})$ such that $H$ is a collection of worlds,
$\mathbb{H}$ is a collection of neighborhoods which are subsets of $H$ and the entire collection is closed under the
Boolean operations and under the operations $[h], (h) : \mathbb{H} \to \mathbb{H}$ given by:

$$[h]\,C = \{x \in H \mid C \in \mathcal{H}x\}, \qquad (h)\,C = \{x \in H \mid -C \notin \mathcal{H}x\},$$

where $-C$ is the set complement of $C$ in $H$. $\mathcal{H} : H \to \mathcal{P}\mathbb{H}$ is a nbd map taking every world of $H$
into a collection of neighborhoods. We use the same symbol for the frame and its nbd map, and let use
disambiguate what is meant.

Each  node  in  a  distributed  logic’s  graph  has  a  local  logic  associated  with  it.  That  local  logic,  in  turn, 
must  have  a  neighborhood  frame  associated  with  it. 

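Definition 3.1.2 Let $\mathcal{H}$ and $\mathcal{K}$ be neighborhood frames. A nbd map $\mathcal{R} : \mathcal{H} \to \mathcal{K}$ is a map (also using the
symbol $\mathcal{R}$) $\mathcal{R} : H \to \mathcal{P}\mathbb{K}$ such that for any $C \in \mathbb{K}$,

$$[r]\,C = \{x \in H \mid C \in \mathcal{R}x\} \in \mathbb{H}, \qquad (r)\,C = \{x \in H \mid -C \notin \mathcal{R}x\} \in \mathbb{H}.$$

Let $\mathcal{R} : \mathcal{H} \to \mathcal{K}$ and $\mathcal{S} : \mathcal{K} \to \mathcal{L}$ be morphisms. The identity morphism $\mathcal{I} : \mathcal{H} \to \mathcal{H}$ and the composition
$\mathcal{S} \circ \mathcal{R} : \mathcal{H} \to \mathcal{L}$ are defined with ($x \in H$)

$$\mathcal{I}x = \{C \in \mathbb{H} \mid x \in C\}, \qquad (\mathcal{S} \circ \mathcal{R})x \stackrel{\text{def}}{=} \{C \in \mathbb{L} \mid \{y : C \in \mathcal{S}y\} \in \mathcal{R}x\}.$$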


Each arc $r : h \to k$ of the graph must be associated with a semantic morphism in the interpretation.
The semantic morphisms are neighborhood maps $\mathcal{R} : H \to \mathcal{P}\mathbb{K}$ where $\mathbb{K}$ is the collection of neighborhoods,
i.e., the $\mathbb{K}$ in $(K, \mathcal{K}, \mathbb{K})$. In the normal case, the neighborhood maps can be replaced with relations. These
relations are derivable in the usual way [10], i.e., $\mathcal{R}xy$ iff $y \in \bigcap \mathcal{R}x$, that is, take intersection of all the
neighborhoods at x under $\mathcal{R}$.

Note that the definition for composition can be rewritten as

$$(\mathcal{S} \circ \mathcal{R})x = \{C \in \mathbb{L} \mid [s]\,C \in \mathcal{R}x\}$$

using the Definition 3.1.2 for $[s]\,C$. The definition is found in Manes [14] for the Kleisli category of the double
power set monad. Our models are always in the category of neighborhood frames.
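
The bus master statements of the introduction and the [r], identity and composition definitions above, run on a small finite model; this is an added example, not code from the paper. The (control, u, bus) encoding of cpu-mux worlds, the leaky mux variant and the bus-value observer node are assumptions made for illustration, and the co-occurrence relation is turned into a neighborhood map as in the normal case.

```python
from itertools import chain, combinations

def powerset(worlds):
    """All subsets of a finite set of worlds, as frozensets."""
    ws = list(worlds)
    subsets = chain.from_iterable(combinations(ws, n) for n in range(len(ws) + 1))
    return [frozenset(s) for s in subsets]

def box(nbd, src, c):
    """[r] C = {x in H | C in Rx}."""
    return frozenset(x for x in src if c in nbd[x])

def dia(nbd, src, tgt, c):
    """(r) C = {x in H | -C not in Rx}, -C being the complement in the target worlds."""
    return frozenset(x for x in src if (tgt - c) not in nbd[x])

def identity(worlds):
    """Ix = {C | x in C}."""
    return {x: {c for c in powerset(worlds) if x in c} for x in worlds}

def compose(s, r, src, mid, tgt):
    """(S o R)x = {C subset of L | [s] C in Rx}."""
    return {x: {c for c in powerset(tgt) if box(s, mid, c) in r[x]} for x in src}

def from_relation(rel, src, tgt):
    """Normal case: Rx holds every superset of the image {y | R x y}."""
    nbd = {}
    for x in src:
        image = frozenset(y for y in tgt if (x, y) in rel)
        nbd[x] = {c for c in powerset(tgt) if image <= c}
    return nbd

# Constructed model (assumption): a bus master world is just its control bit.
BUS_MASTER = frozenset({0, 1})
# cpu-mux worlds are (control, u, bus); u is None when the line is tri-stated.
GOOD_MUX = frozenset({(0, None, 0), (0, None, 1), (1, 0, 0), (1, 1, 1)})
# Faulty design (assumption): u stays connected to the bus although control = 0.
LEAKY_MUX = GOOD_MUX | {(0, 1, 1)}

def co_occurrence(mux):
    """C relates a bus master world to every cpu-mux world with the same control."""
    return {(a, y) for a in BUS_MASTER for y in mux if y[0] == a}

def spec_violations(mux):
    """Bus master worlds where one of the two introduction statements fails."""
    c = from_relation(co_occurrence(mux), BUS_MASTER, mux)
    tri_u = frozenset(y for y in mux if y[1] is None)        # bottom(u)
    bus_eq_u = frozenset(y for y in mux if y[2] == y[1])     # bus = u
    ok0 = (BUS_MASTER - {0}) | box(c, BUS_MASTER, tri_u)     # (control = 0) implies [c] bottom(u)
    ok1 = (BUS_MASTER - {1}) | box(c, BUS_MASTER, bus_eq_u)  # (control = 1) implies [c](bus = u)
    return BUS_MASTER - (ok0 & ok1)

def laws_hold(mux):
    """Check B1, B2, D1 and agreement with relational composition on the model."""
    bus_values = frozenset({0, 1})            # third node (assumption): observed bus value
    observe = {(y, y[2]) for y in mux}        # S relates a cpu-mux world to its bus value
    c_rel = co_occurrence(mux)
    r = from_relation(c_rel, BUS_MASTER, mux)
    s = from_relation(observe, mux, bus_values)
    sr = compose(s, r, BUS_MASTER, mux, bus_values)
    sr_rel = {(a, v) for (a, y) in c_rel for (y2, v) in observe if y == y2}
    ident = identity(mux)
    b1 = all(box(ident, mux, c) == c for c in powerset(mux))
    b2 = all(box(r, BUS_MASTER, box(s, mux, c)) == box(sr, BUS_MASTER, c)
             for c in powerset(bus_values))
    d1 = all(box(r, BUS_MASTER, c) <= dia(r, BUS_MASTER, mux, c) for c in powerset(mux))
    same_as_relational = sr == from_relation(sr_rel, BUS_MASTER, bus_values)
    return b1 and b2 and d1 and same_as_relational

if __name__ == "__main__":
    print("good mux violations: ", sorted(spec_violations(GOOD_MUX)))
    print("leaky mux violations:", sorted(spec_violations(LEAKY_MUX)))
    print("category laws hold:  ", laws_hold(GOOD_MUX))
```

The check never builds the product of bus master and cpu-mux states: each statement is evaluated at a bus master world and only follows the co-occurrence relation into the cpu-mux worlds.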

Each node representing a distinct local logic must be mapped to a distinct frame object in any
interpretation. This informal way of restricting interpretations is the result of treating the graph as not defining
everything in a distributed logic, but the alternative would make the logic impenetrable.

The  corresponding  Kripke  frame  conditions  for  the  logical  axioms  are 
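
Frame Conditions S:

FS1. A category of local neighborhood frames and neighborhood maps
FS2. An identity morphism for the i arc in $D \in \mathfrak{D}$

Frame Conditions A: For each node in $\mathfrak{G}$,

FA1. A set of classical worlds
FA2. Frame conditions for a local logic at this node

Frame Conditions B: For $\mathcal{I} : \mathcal{H} \to \mathcal{H}$, $\mathcal{R} : \mathcal{H} \to \mathcal{K}$ and $\mathcal{S} : \mathcal{K} \to \mathcal{L}$ in $\mathfrak{G}$

FB1. $\mathcal{I}x = \{C \in \mathbb{H} \mid x \in C\}$
FB2. $(\mathcal{S} \circ \mathcal{R})x = \{C \in \mathbb{L} \mid [s]\,C \in \mathcal{R}x\}$

Frame Conditions C:

FC1. $B, C \in \mathcal{R}x$ implies $B \cap C \in \mathcal{R}x$
FC2. $B \in \mathcal{R}x$ and $B \subseteq C$ implies $C \in \mathcal{R}x$
FC3. $\top \in \mathcal{R}x$

Frame Conditions D:

FD1. $C \in \mathcal{R}x$ implies $-C \notin \mathcal{R}x$
FD2. $C \notin \mathcal{R}x$ implies $-C \in \mathcal{R}x$

Frame Condition F:

FF1. $-\{y \mid C \in \mathcal{K}y\} \notin \mathcal{R}x$ implies $\{z \mid -C \notin \mathcal{R}z\} \in \mathcal{H}x$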

with the convention that the nbd maps that use upper case script relation letters will interpret modal
connectives that use the corresponding lower case Roman letters. Each distributed frame category interpreting
a  distributed  logic  will  have  the  conditions  matching  the  axioms.  The  frame  conditions  S,  A,  and  B  are 
always  assumed,  the  others  are  required  if  the  corresponding  axioms  are  present  in  the  modeled  local  logic. 

Slightly different frames are used for the axiom E1; the local frames will contain functions to interpret
constants,  one  for  every  atomic  proposition  of  the  local  logic  for  which  the  local  frame  provides  a  model. 
The  following  proposition  allows  for  the  use  of  one  neighborhood  frame  per  local  logic. 

Proposition 3.1.3 There are no provable instances of formulas of the form $P \bullet Q$ for $\bullet \in \{\supset, \wedge, \vee\}$ with P
in one local logic and Q in a different local logic.

The  proof  is  an  easy  induction  on  the  axiom  schemes  and  rules.  The  consequence  is  that  no  formula  in 
the  logic  has  a  binary  connective  between  formulas  in  two  different  local  logics. 

Note  that  we  stated  the  above  proposition  in  terms  of  formula  “instances”  rather  than  formulas  because 
it  is  possible  to  attach  a  local  logic  to  more  than  one  node  in  the  graph.  In  effect,  this  would  give  more  than 
one  instance  of  the  logic  in  the  entire  distributed  logic. 

Using the semantics conditions, it is easy to show that

$$x \models_{\mathcal{H}} \neg [r] \neg P \quad \text{iff} \quad x \models_{\mathcal{H}} (r)\,P,$$

hence the definition of (r) in terms of [r] makes sense. A distributed category model has neighborhood frames
for every node with a valuation for each node. The morphisms are neighborhood maps.

Definition  3.1.4  A  distributed  category  model  is  a  neighborhood  frame  category  with  a  valuation  and  a 
local  frame  for  each  local  logic.  The  local  frame  and  its  valuation  are  called  a  local  model.  A  valuation 
specifies  a  collection  of  points  in  the  local  frame  where  the  atomic  propositions  are  true. 

3.2  Algebras

We  rely  on  heterogeneous  (multisorted)  algebras  [8]  for  the  free  algebra  construction.  The  categorical  version 
is  most  easily  accessible  in  [1]  who  attribute  the  multisorted  (non-categorical)  case  to  [8]. 

Definition 3.2.1 (Birkhoff and Lipson [8]) A heterogeneous algebra is a system $A = [\mathcal{S}, F]$ in which

1. $\mathcal{S} = \{S_i\}$ is a family of non-void sets $S_i$ of different types of elements, each called a phylum of the
algebra $A$. The phyla $S_i$ are indexed by some set $I$; i.e., $S_i \in \mathcal{S}$ for $i \in I$ (or are called by appropriate
names).

2. $F = \{f_\alpha\}$ is a set of finitary operations, where each $f_\alpha$ is a mapping

$$f_\alpha : S_{i(1,\alpha)} \times S_{i(2,\alpha)} \times \cdots \times S_{i(n(\alpha),\alpha)} \to S_{p(\alpha)}$$

for some non-negative integer $n(\alpha)$, function $i_\alpha : j \to i(j, \alpha)$ from $\mathbf{n}(\alpha) = \{1, 2, \ldots, n(\alpha)\}$ to $I$, and
$p(\alpha) \in I$. The operations $f_\alpha$ are indexed by some set $\Omega$; i.e., $f_\alpha \in F$ for $\alpha \in \Omega$ (or are called by
appropriate names).

Definition 3.2.2 A distributed algebra appropriate for a distributed logic is a heterogeneous algebra with
a modal algebra, called a local modal algebra, for each node of a graph, identity modal operators for each
node, and distributed operators (r) and [r] for every arc r of the graph. For $r : h \to k$ in the graph,

• $[r][s]\,a = [s \circ r]\,a$;

• $[i]\,a = a$, for the i arc in an endo-diagram;

• if the Axiom Schemes C are used

  - $[r]\,a \wedge [r]\,b \le [r](a \wedge b)$;

  - $[r](a \wedge b) \le [r]\,a \wedge [r]\,b$;

  - $\top_h = [r]\,\top_k$, for $\top$ the top of a Boolean lattice;

• if Axiom Schemes D are used

  - $[r]\,a \le (r)\,a$;

  - $(r)\,a \le [r]\,a$;

• $(r)[k]\,a \le [h](r)\,a$, if Axiom Scheme F is used.

The axiom E1 will be handled in the next subsection where we must add constant operations and functions
to  help  interpret  the  propositional  atoms. 

Appropriate  distributed  algebras  give  a  “localization”  view  of  heterogeneous  algebras  which  is  isomorphic 
to  the  definition  given  above.  Each  phylum  Si  with  operators  defined  only  upon  Si  is  a  local  modal  algebra. 
The operations associated with $r : h \to k$ of the graph map from a local modal algebra to a local modal
algebra.  This  stratifies  the  heterogeneous  distributed  algebra  and  treats  every  local  modal  algebra  as  an 
object  in  the  surrounding  distributed  algebra. 

Algebraic  versions  of  soundness  and  completeness  depend  on  the  Lindenbaum-Tarski  (LT)  algebra.  We 
must  first  show  that  the  operators  all  respect  the  congruence  of  bi-implication  induced  on  the  local  word 
algebras  by  the  local  logics.  The  only  operators  not  already  covered  in  previous  modal  algebraic  work  are 
the  distributed  operators. 

Lemma  3.2.3  The  distributed  operators  respect  bi-equivalence. 

The connective [r] respects bi-equivalence because of the Rule B. Using Boolean negation, it is easy to
show  that  (r)  does  as  well. 

Next,  we  must  show  that  the  LT  algebra  is  actually  a  distributed  algebra.  The  only  operators  that  are 
at  issue  are  the  distributed  operators. 

Lemma  3.2.4  The  LT  distributed  operators  satisfy  the  required  properties  for  a  distributed  algebra. 

The equivalence classes for the LT algebras are defined (as usual) with $|P| = \{Q \mid \vdash_h P \equiv Q\}$. The
operators are defined inductively, i.e., $|P| \wedge |Q| = |P \wedge Q|$, $[r]|P| = |[r]\,P|$.

Corollary  3.2.5  The  LT  heterogeneous  algebra  is  a  distributed  algebra. 

Proof:  (Proof  Outline)  The  free  heterogeneous  algebra  is  the  usual  algebra  of  equivalence  classes  of  terms 
in  the  variables  as  generators.  One  runs  the  induction  procedure  to  get  the  word  algebras  over  all  the  local 
logics  simultaneously  [8],  then  divide  out  by  the  equalities  in  each  algebra.  Proposition  3.1.3  shows  that  no 
additional  sorts  over  and  above  the  local  modal  algebra  carrier  sets  are  necessary.  Lemma  3.2.3  shows  that 
the replacement property for the bi-implication congruence holds for each operator. Finally, Lemma 3.2.4
shows each of the LT operators satisfies the distributed algebra axioms. ■

Theorem 3.2.6 Distributed Logic is sound with respect to the algebraic and distributed frame category
models.

Outline: Soundness over the algebraic models is an induction starting with a valuation into a distributed
algebra and then using the fact that the LT algebra is a free algebra for the heterogeneous class of distributed
algebras. From this, it is easy to see that $\supset$ interprets to $\le$ in the algebra. The axioms of the LT algebra
clearly  interpret  to  the  axioms  of  the  logic,  and  the  rules  of  the  logic  preserve  truth  in  the  algebra.  The 
free  heterogeneous  algebras  are  then  used  to  generate  the  universal  morphism  for  any  interpretation  into  a 
heterogeneous  modal  algebra  thus  validating  the  axioms  and  rules. 

The Frame Conditions FS1, FS2, FB1, and FB2, given the work in Manes [14] on the double power set
monad  restricted  to  neighborhoods,  show  that  the  neighborhood  maps  are  the  Kleisli  morphisms  and  hence 
form  a  category,  so  the  identity  and  associative  laws  of  categories  are  met.  In  the  presence  of  the  normal 
axioms,  the  previous  prescription  for  manufacturing  relations  from  neighborhood  maps  shows  these  frame 
conditions  ensure  the  maps  act  like  Kleisli  morphisms  for  the  power  set  monad  restricted  to  neighborhoods. 
The  rest  of  the  axioms  and  rules  are  easily  checked. 


The canonical frame is generated by the LT algebra; the frame’s neighborhoods are the output of the
representation function for the LT algebra. The representation function $\beta$ is defined by

$$\beta a = \{x \mid a \in x \text{ and } x \text{ is a maximal filter}\}.$$

Let MA(h), MA(k) stand for the local modal algebras and CF(h), CF(k) stand for the canonical frames at
h and k respectively. To get a frame category from the LT modal algebra requires that one take the (dual)
Stone space containing all the maximal filters of each local algebra and define the local neighborhood maps
with:

$$\beta a \in \mathcal{H}x \quad \text{iff} \quad [h]\,a \in x.$$

Since [h] and (h) are DeMorgan duals of each other and $\beta$ is a homomorphism,

$$-\beta a \notin \mathcal{H}x \ \text{ iff } \ \beta \neg a \notin \mathcal{H}x \ \text{ iff } \ [h] \neg a \notin x \ \text{ iff } \ \neg [h] \neg a \in x \ \text{ iff } \ (h)\,a \in x.$$

These same definitions work for the canonical relation $\mathcal{R}$ for $r : h \to k$ where now $a \in MA(k)$, $[r]\,a, (r)\,a \in MA(h)$,
$x \in CF(h)$, and $\mathcal{R}x \subseteq \mathbb{K}$ for $\mathbb{K}$ the neighborhoods of CF(k).

It is not hard to show that $\beta [h]\,a = [h]\,\beta a$ and $\beta (h)\,a = (h)\,\beta a$. Set union, intersection, and set
complement interpret the classical logic connectives $\vee$, $\wedge$, and $\neg$. The only question is the status of (r), [r] for
$r : h \to k$.


Lemma 3.2.7 For $a \in MA(k)$ and $(r)\,a \in MA(h)$,

$$\beta [r]\,a = [r]\,\beta a \quad \text{and} \quad \beta (r)\,a = (r)\,\beta a.$$

Proof: $x \in \beta [r]\,a$ iff $[r]\,a \in x$ iff $\beta a \in \mathcal{R}x$ iff $x \in [r]\,\beta a$. The proof for (r) is similar. ■

The  modal  completeness  argument  is  the  usual  algebraic  argument  [11]  using  contraposition  and  the  frame 
argument  uses  the  canonical  frame  derived  from  a  representation  theorem  [3,  11].  The  modal  representation 
theorem  represents  a  modal  algebra  as  an  algebra  of  sets  using  the  canonical  frame  (Stone  space)  of  the 
algebra. One defines the 1-1 homomorphism $\beta$ on the distributed algebra for each carrier set and the
operations  using  the  above  prescriptions. 

Theorem  3.2.8  Distributed  Logic  is  complete  with  respect  to  the  distributed  algebras  and  the  distributed 
category  models. 

Proof:  From  Proposition  3.1.3,  we  need  only  concern  ourselves  with  formula  (instances)  which  sit  entirely 
within  a  single  local  logic.  So  one  presents  the  formula  instance  at  issue  and  then  picks  the  local  logic  for 
which  it  must  be  determined  whether  it  is  a  theorem.  The  argument  is  a  contraposition  argument  using  the 
LT  heterogeneous  algebra  and  its  canonical  frame  category. 

Note that any theorem without an implication as the main connective can be outfitted with one because
$\vdash P$ iff $\vdash \top \supset P$ where $\top$ is the truth constant in a local logic. Hence we need only check implications.
Suppose $\nvdash P \supset Q$, then $|P| \not\le |Q|$ in the LT algebra where $|P|$, $|Q|$ are the bi-implicational equivalence
classes. This along with Corollary 3.2.5 is enough for algebraic completeness.

For frame completeness, there is a maximal separating filter x such that $|P| \in x$ and $|Q| \notin x$, i.e.,
$x \in \beta|P|$ and $x \notin \beta|Q|$, so $x \models P$ and $x \not\models Q$. Therefore there is a local model falsifying the non-theorem,
and hence a distributed category model falsifying the non-theorem.

Taking  the  contrapositive  in  the  algebraic  and  frame  cases  yields  the  required  result.  ■ 

3.3  The  Axiom  Schemes  E 

The  axiom  El  requires  some  special  treatment.  The  algebra  will  now  have  a  collection  of  constant  operators, 
one  for  each  propositional  atom  in  the  language. 

Definition  3.3.1  An  E  local  modal  algebra  is  a  local  modal  algebra  with  a  collection  of  (local)  constant 
operations.  Note  that  two  constant  operations,  being  functions,  can  point  to  the  same  element  of  the  local 
modal  algebra.  The  Lindenbaum-Tarski  E  local  modal  algebra  has  each  constant  operation  pointing  out  the 
equivalence class of the propositional atom to which it is attached. In symbols, if $p$ is a propositional atom,
then its constant, nullary operation, $\sigma_p$, is such that $\sigma_p = p$ in the word algebra of the logic and $\sigma_p = |p|$
in the LT algebra. In addition to any axioms necessary for the local modal logic, we add the axiom

$\sigma_p \leq [r]\sigma_p$

for an arc $r$ in the diagram to another node. This effectively forces $[p] \leq [r][p]$ for any interpretation $[-]$.
We also require the logic at cod(r) to contain at least the same propositional atoms as those at dom(r).

Definition 3.3.2 A E neighborhood frame is a neighborhood frame with a collection of constant functions,
$f_p$, one for each propositional atom. A constant function selects an element of the set algebra, i.e., a
neighborhood.

Fix  a  distributed  algebra  with  any  necessary  E  local  modal  algebra.  Modal  valuations  vary  over  what 
gets  assigned  to  the  propositional  atoms.  Here,  the  valuations  must  be  consistent  with  the  nullary  operations 
associated  with  each  atom.  We  get  the  variation  necessary  for  valuations  by  choosing  different  algebras  which 
agree  on  everything  except  the  nullary  operations.  So  the  variation  gets  satisfied  at  a  slightly  higher  level. 
A  similar  statement  holds  for  E  neighborhood  frames.  The  inductive  definition  generating  interpretations 
from  valuations  remains  the  same  and  hence  the  restriction  on  valuations  gets  transferred  to  interpretations. 

Definition 3.3.3 An E local algebra valuation, $[-]$, must take every propositional atom to an element of
the carrier set pointed to by the nullary operation for that atom, i.e., if $\sigma_p = a$, then $[p] = a$. Similarly, for
a E local neighborhood frame and valuations $[-]$, we demand $[p] = C$ if $f_p = C$. Also, we demand that for
$r : h \leadsto k$, the $r$ interpreting relation $\mathcal{R}$ must respect the constant functions in the sense that $x \in f_p$ at the
neighborhood frame for $h$ and $f_p \in \mathcal{R}x$ at the neighborhood frame for $k$.

For the LT algebra, $\sigma_p = p$ in the word algebra forces $\sigma_p = |p|$ in the LT algebra. The result is that we
get the same LT algebra as we would have without the nullary constants. The universal property of the free
algebra with respect to unique maps to the other E local modal algebras is unaffected since the restriction
on interpretations will force the unique maps to choose the same elements of the algebras to which the nullary
operations point for the respective propositional atoms. In the freeness diagram below, $p$ indicates some
propositional atom in the language, $FA_h$ is the carrier set of the local modal logic for $h$ inside of the free
algebra $A$. The algebra $B$ is some other appropriate distributed algebra, and $\gamma$ is an induced interpretation
from the freeness property of $A$,

SL(h,k  G  ©) - - - -  A(FAh,FAk  G  {Si},  0^,0^  G  OpsA) 
B{Bh,Bk  G  {Ti},o^,o^  G  OpsB)

The algebra $B$ has no notion of propositional atoms. The $\sigma_p$, being operations, are preserved by $g$. Hence,
$\eta(p) = \sigma_p^{A_h}$ and $g(\eta(p)) = g(\sigma_p^{A_h}) = \sigma_p^{B_h}$. Since the diagram commutes, $\gamma(p) = \sigma_p^{B_h}$.

The extensions to distributed algebras and distributed category models are called E distributed algebras
and E distributed category models.

Theorem  3.3.4  Distributed  logics  with  the  E  axioms  are  sound  and  complete  with  respect  to  E  distributed 
algebras  and  E  distributed  category  models. 

4  Conclusions  and  Future  Work 

Distributed logic is best viewed as a logical toolbox that contains many different logics which are
configured by axioms. One selects a graph structure for the local logics and then axioms and rules based
upon a particular application. Many of the common modal axioms can be altered to fit distributed modal
connectives. The simulation axiom shows this. As a further example, consider the Euclidean axiom (in a
normal modal logic) $\langle h \rangle P \supset [h]\langle h \rangle P$ and its validating condition $\mathcal{H}xy$ and
$\mathcal{H}xz$ implies $\mathcal{H}yz$. In distributed form for $r : h \leadsto k$ in Figure 2, this becomes
$\langle r \rangle P \supset [r]\langle k \rangle P$ and the condition becomes $\mathcal{R}xy$ and $\mathcal{R}xz$ implies $\mathcal{K}yz$.

[Figure 2: Domain h and Domain k]

The situation in Figure 2 models a real situation. The relation $\mathcal{R}$ between domain h and k is an
artefact of the model and as such, deserves to be represented in a logic over the model. This is the sense in
which distributed logic could be considered a model theoretic logic [5]. One must make choices up front
before parts of the toolbox come together for a logic; the choices are made because models of a particular
kind are needed for an application. A good source of applications which require distributed reasoning is the
security guarantees necessary for system-on-a-chip architectures. In on-going and future work, we are
expanding the use of distributed logics to provide a programming logic for a hardware specification language
called ReWire [15].
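The distributed Euclidean correspondence stated above can be checked by brute force on small two-domain Kripke frames. The following is an added example, not code from the paper; it assumes the relational reading in which $\langle r \rangle$ and $[r]$ quantify over $\mathcal{R}$-successors of an h-world and $\langle k \rangle$ over $\mathcal{K}$-successors of a k-world, and all function names are hypothetical.

```python
from itertools import chain, combinations, product

def subsets(items):
    """All subsets of a finite collection, as tuples."""
    items = list(items)
    return chain.from_iterable(combinations(items, n) for n in range(len(items) + 1))

def condition_holds(r_rel, k_rel):
    """Frame condition from the text: Rxy and Rxz implies Kyz."""
    return all((y, z) in k_rel
               for (x, y) in r_rel for (x2, z) in r_rel if x == x2)

def falsifier(h_worlds, k_worlds, r_rel, k_rel):
    """Return (x, P) where <r>P holds at x but [r]<k>P fails, or None if the axiom is valid."""
    for p in map(set, subsets(k_worlds)):          # every valuation of P in domain k
        # k-worlds satisfying <k>P
        dia_k = {z for z in k_worlds if any((z, w) in k_rel for w in p)}
        for x in h_worlds:
            succ = {y for (x2, y) in r_rel if x2 == x}
            if succ & p and not succ <= dia_k:
                return x, p
    return None

def disagreements(n_h, n_k):
    """Frames with n_h h-worlds and n_k k-worlds where condition and validity differ."""
    h_worlds, k_worlds = range(n_h), range(n_k)
    bad = []
    for r_rel in map(set, subsets(product(h_worlds, k_worlds))):
        for k_rel in map(set, subsets(product(k_worlds, k_worlds))):
            valid = falsifier(h_worlds, k_worlds, r_rel, k_rel) is None
            if condition_holds(r_rel, k_rel) != valid:
                bad.append((r_rel, k_rel))
    return bad

# Constructed frame: one h-world sees both k-worlds, but K relates each k-world only to itself.
R_BAD = {(0, 0), (0, 1)}
K_BAD = {(0, 0), (1, 1)}

if __name__ == "__main__":
    print(condition_holds(R_BAD, K_BAD), falsifier(range(1), range(2), R_BAD, K_BAD))
    print(disagreements(2, 2), disagreements(1, 3))
```

An empty result from `disagreements` means that, on every frame of that size, the condition holds exactly when the axiom is valid under all valuations of P.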

More  philosophically  speaking,  modal  logics  come  with  a  model  theory  which  includes  morphisms  between 
models.  The  logic  is  abstracted  over  the  model  theory  giving  valid  axioms  and  rules  for  reasoning  about  the 
models. Since morphisms are used in the model theory to describe critical aspects of the model, the obvious
question is why are these aspects not formalized in the logics. The work in this paper (and its predecessor [4])
represents  the  first  steps  in  this  direction. 

Part  of  the  problem  with  including  morphisms  in  a  logic  is  deciding  which  morphisms  should  be  included 
and how they are structured. Category theory presents us with the theory of morphisms. Considering modal
logic,  one  could  have  started  with  p-morphisms.  The  approach  we  have  taken  is  to  generalize  the  notion  of 
what  should  be  considered  a  model  theoretic  morphism  and  then  use  logical  axioms  to  give  the  morphisms 
the  properties  desired.  In  effect,  we  are  choosing  logical  morphisms  that  preserve  only  some  structure,  not 
all  structure  unless  that  is  what  is  desired.  The  axiom  system  is  then  used  as  an  array  of  control  switches  to 
configure  distributed  logics.  In  addition,  the  morphisms  can  be  fine  tuned  between  some  local  logics  but  not 
imposed  between  all  local  logics  within  a  distributed  logic.  This  accords  well  with  the  notion  that  distributed 
logics  should  be  useful  for  representing  reasoning  about  distributed  systems  where  there  is  much  variation 
and  nuance  that  must  be  represented  formally. 

Space prevents us from also covering two-place intensional connectives such as relevance logic’s entailment.
That too has a pleasant reconstruction in distributed logic, although the three place relations require
an  extended  notion  of  categorical  morphism.  Distributed  logic  was  originally  formulated  with  relations. 
Consideration  of  testing  for  foreign  IP  in  system-on-a-chip  designs  forced  the  use  of  neighborhood  systems. 
The  ease  of  modification  of  distributed  logic  forced  by  two  place  intensional  connectives  and  weak  modal 
connectives  requiring  a  neighborhood  semantics  is  part  of  a  larger  theme  for  distributed  logic:  many  model 
theoretic  notions  are  “orthogonal”  to  distribution  in  that  they  do  not  seem  to  cause  any  significant  hurdles  to 
their  re-expression  in  a  distributed  system.  Some  model  theoretic  notions,  such  as  morphism,  are  inherently 
distributed. Some, such as Kripke relations, can be re-expressed as distributed notions. The bounds of what
is possible seem to be related to the question of what is modality.